
Version 1.0.0

Release Date: March 2026

Overview

Initial release of Crypto Shop Backend - a production-ready e-commerce backend with TRON blockchain payment integration, JWT authentication, and real-time notifications. Developed by: Pedro Luis Ramos Calla

Features

Authentication & Authorization

  • JWT-based authentication with access and refresh tokens
  • HttpOnly cookies for secure token storage
  • Role-based access control (user/admin)
  • Two-factor authentication (2FA) support with Speakeasy
  • Password hashing with bcryptjs
  • Session tracking with device and IP information
  • Automatic token refresh mechanism

User Management

  • User registration with email and username
  • TRON wallet integration for each user
  • Profile management (email, username, password)
  • Recovery email configuration
  • User blocking/unblocking (admin)
  • Account activation status
  • Last login tracking

Product Management

  • Product CRUD operations (admin only)
  • Product categories: digital, physical, service
  • Stock management
  • Product activation/deactivation
  • Image URL support
  • Price management in TRX

Order Processing

  • Order creation with multiple products
  • Automatic order ID generation (#TRX-{number})
  • Order status tracking: pending, completed, refunded, failed, cancelled
  • Prevention of multiple pending orders per user
  • Product quantity and stock validation
  • Network fee calculation
  • Discount support

TRON Blockchain Integration

  • TronWeb integration for blockchain interactions
  • Wallet creation and management
  • TRX balance checking
  • TRX sending functionality
  • Transaction listener for payment confirmation
  • Automatic order status updates on blockchain confirmation
  • Transaction hash tracking
  • Testnet (Nile) and mainnet support

Transaction Management

  • Transaction recording for all blockchain operations
  • Transaction types: purchase, refund, deposit, withdrawal
  • Transaction status tracking: pending, confirmed, failed
  • Confirmation count tracking
  • Transaction history per user

Admin Panel

Dashboard Statistics

  • Total revenue
  • Total orders
  • Total customers
  • Pending orders count
  • Revenue trends (daily, weekly, monthly)
  • Order trends over time
  • Top products by sales
  • Recent transactions

Sales Management

  • Sales list with filters (status, date range)
  • Order status updates
  • Order refunds with on-chain transaction
  • Order details view

Customer Management

  • Customer list with total spent
  • Customer blocking/unblocking
  • Customer export functionality
  • Customer activity tracking

Product Management

  • Product creation and editing
  • Stock management
  • Product activation/deactivation
  • Product deletion

Real-Time Notifications

  • Socket.io integration
  • Real-time transaction confirmation notifications
  • User-specific notification rooms
  • Event: transaction:confirmed with order and transaction details

Security Features

  • Helmet.js for security headers
  • CORS configuration with whitelist
  • Rate limiting with express-rate-limit
  • HPP (HTTP Parameter Pollution) protection
  • Input validation with express-validator
  • NoSQL (query) injection prevention via Mongoose
  • XSS protection
  • Secure cookie configuration

API Documentation

  • Swagger UI integration
  • OpenAPI 3.0 specification
  • Interactive API documentation at /api/docs
  • Complete endpoint documentation

Logging & Monitoring

  • Morgan HTTP request logging
  • Console logging for key operations
  • Error logging
  • Transaction listener status logging

Technical Stack

Technology           Version   Purpose
Node.js              16+       Runtime environment
Express              5.2.1     Web framework
MongoDB              -         Database
Mongoose             8.0.0     ODM
TronWeb              6.2.0     TRON blockchain interaction
Socket.io            4.8.3     Real-time communication
JWT                  9.0.3     Authentication tokens
bcryptjs             2.4.3     Password hashing
Helmet               7.1.0     Security headers
express-rate-limit   7.1.5     Rate limiting
express-validator    7.0.0     Input validation
Speakeasy            2.0.0     2FA (TOTP)
QRCode               1.5.4     QR code generation
Swagger UI Express   5.0.0     API documentation

API Endpoints

Authentication

  • POST /api/auth/register - User registration
  • POST /api/auth/login - User login
  • POST /api/auth/logout - User logout
  • POST /api/auth/refresh-token - Refresh access token
  • GET /api/auth/profile - Get authenticated user profile

Orders

  • POST /api/orders - Create new order
  • POST /api/orders/:id/pay - Pay for order
  • GET /api/orders - Get user orders
  • PATCH /api/admin/orders/:id/status - Update order status (admin)
  • POST /api/admin/orders/:id/refund - Refund order (admin)

Products

  • GET /api/products - List products
  • POST /api/admin/products - Create product (admin)
  • PATCH /api/admin/products/:id - Update product (admin)
  • DELETE /api/admin/products/:id - Delete product (admin)

Transactions

  • GET /api/transactions - Get user transactions

Wallet

  • GET /api/wallets/balance - Get wallet balance
  • POST /api/wallets/send - Send TRX
  • POST /api/users/connect-wallet - Connect wallet

Admin

  • GET /api/admin/stats - Dashboard statistics
  • GET /api/admin/sales - Sales list
  • GET /api/admin/customers - Customer list
  • PATCH /api/admin/customers/:id/block - Block/unblock customer
  • POST /api/admin/customers/export - Export customer data

Security

  • POST /api/security/2fa/enable - Enable 2FA
  • POST /api/security/2fa/verify - Verify 2FA token

Sessions

  • GET /api/sessions - Get user sessions
  • DELETE /api/sessions/:id - Delete session

Users

  • GET /api/users/profile - Get profile
  • PATCH /api/users/profile - Update profile
  • PATCH /api/users/password - Update password

Database Models

User

  • Email and username authentication
  • Password hashing
  • TRON wallet storage
  • Role-based permissions
  • 2FA configuration
  • Account status tracking

Order

  • Sequential order ID generation
  • Multiple products per order
  • Status workflow
  • Payment tracking
  • Wallet address recording

Product

  • Category classification
  • Stock management
  • Price in TRX
  • Active status
  • Creator tracking

Transaction

  • Multi-type support (purchase, refund, etc.)
  • Blockchain hash tracking
  • Status progression
  • Confirmation counting
  • Order association

Session

  • User association
  • Device information
  • IP address tracking
  • Activity timestamps
  • Active status

Configuration

Environment Variables

MONGODB_URI=mongodb://localhost:27017/crypto-shop
NODE_ENV=development
PORT=3000
TRON_NETWORK=https://nile.trongrid.io
ACCESS_TOKEN_SECRET=your_access_token_secret
REFRESH_TOKEN_SECRET=your_refresh_token_secret
CLIENT_URL=http://localhost:3000
FRONTEND_URL=http://localhost:5173
MERCHANT_WALLET_ADDRESS=TMerchantAddress

Default Configuration

  • Access token expiry: 15 minutes
  • Refresh token expiry: 7 days
  • Cookie max age: 7 days
  • Network fee: -0.01 TRX
  • Default port: 3000
  • Transaction listener interval: 10 seconds

Architecture Highlights

Order Processing Flow

  1. User creates order → System validates products and stock
  2. Order created with status pending
  3. User initiates payment → TRX sent to merchant wallet
  4. Transaction recorded with status pending
  5. Transaction listener monitors blockchain
  6. On confirmation → Order status → completed
  7. Real-time notification sent via Socket.io
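
The confirmation step of this flow (steps 5 to 7), written out as an added example; it is not the project's own listener code. Assumed names: reconcilePending, chainView, SUN_PER_TRX and REQUIRED_CONFIRMATIONS; MERCHANT_WALLET reuses the placeholder from the environment example, and the sample orders, transactions and chain view are constructed inline.

```javascript
'use strict';
// Added illustration of listener steps 5-7; not the project's own code. Assumed names:
// reconcilePending, chainView, SUN_PER_TRX, REQUIRED_CONFIRMATIONS. MERCHANT_WALLET reuses the
// placeholder from the environment example.
const SUN_PER_TRX = 1_000_000;               // TRX is carried on-chain in sun
const REQUIRED_CONFIRMATIONS = 19;           // assumption: blocks before a payment is treated as final
const MERCHANT_WALLET = 'TMerchantAddress';
// Constructed sample state: two pending orders and the purchase transactions recorded for them.
const orders = new Map([
  ['#TRX-1', { id: '#TRX-1', userId: 'u1', totalTrx: 5, status: 'pending' }],
  ['#TRX-2', { id: '#TRX-2', userId: 'u2', totalTrx: 12, status: 'pending' }],
]);
const transactions = [
  { hash: 'tx-aaa', orderId: '#TRX-1', type: 'purchase', status: 'pending', confirmations: 0 },
  { hash: 'tx-bbb', orderId: '#TRX-2', type: 'purchase', status: 'pending', confirmations: 0 },
];
// Constructed chain view keyed by hash; stands in for what TronWeb returns per transaction.
const chainView = {
  'tx-aaa': { to: 'TMerchantAddress', amountSun: 5 * SUN_PER_TRX, confirmations: 21 },
  'tx-bbb': { to: 'TMerchantAddress', amountSun: 11 * SUN_PER_TRX, confirmations: 25 }, // 1 TRX short
};
// One listener tick (the 10-second interval would call this). Returns the Socket.io events that
// would be emitted, as { room, event, payload }, so the logic is checkable without a server.
function reconcilePending(txs, ordersById, chain) {
  const events = [];
  for (const tx of txs) {
    if (tx.status !== 'pending') continue;
    const onChain = chain[tx.hash];
    if (!onChain) continue;                              // not seen yet: stays pending
    tx.confirmations = onChain.confirmations;
    const order = ordersById.get(tx.orderId);
    // Do not trust the recorded amount alone: check destination and value as settled on-chain.
    const paidInFull = onChain.amountSun >= order.totalTrx * SUN_PER_TRX;
    if (onChain.to !== MERCHANT_WALLET || !paidInFull) {
      tx.status = 'failed';
      order.status = 'failed';                           // assumption: a mismatched payment fails the order
      continue;
    }
    if (tx.confirmations < REQUIRED_CONFIRMATIONS) continue;
    tx.status = 'confirmed';
    order.status = 'completed';
    events.push({ room: `user:${order.userId}`, event: 'transaction:confirmed',
                  payload: { order: { ...order }, transaction: { ...tx } } });
  }
  return events;
}
const emitted = reconcilePending(transactions, orders, chainView);   // one tick over the sample state
```

In the real listener the `events` array maps onto `io.to(room).emit(event, payload)`; returning it instead keeps the reconciliation logic testable in isolation.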

Authentication Flow

  1. User registers/logs in
  2. Server generates access + refresh tokens
  3. Tokens stored in HttpOnly cookies
  4. Access token used for API requests
  5. On expiry, refresh token obtains new access token
  6. Logout clears cookies

Middleware Stack

  1. Helmet (security headers)
  2. CORS (origin validation)
  3. Morgan (request logging)
  4. Rate limiting
  5. Cookie parser
  6. JSON body parser
  7. HPP (parameter pollution protection)
  8. Custom authentication middleware
  9. Route handlers

Known Limitations

  • Single merchant wallet per instance
  • No multi-currency support (TRX only)
  • Transaction listener runs on single instance (not cluster-safe)
  • No email notifications (Socket.io only)
  • No payment expiry mechanism
  • No automatic stock deduction on order completion

Future Roadmap

Planned Features

  • Multi-merchant support
  • Additional cryptocurrency support (USDT TRC-20)
  • Email notifications
  • Order expiry and auto-cancellation
  • Automatic stock management
  • Advanced analytics dashboard
  • Product reviews and ratings
  • Coupon/promo code system
  • Shipping address management
  • Order tracking
  • Webhook support for external integrations
  • API rate limiting per user
  • Advanced search and filtering
  • Product variants (size, color)
  • Wishlists
  • Shopping cart persistence

Migration Guide

This is the initial release. No migrations required.

Breaking Changes

None (initial release).

Bug Fixes

None (initial release).

Contributors

  • Pedro Luis Ramos Calla - Initial development and architecture

License

ISC License

Support

For technical support, bug reports, or feature requests:
  • Contact: Pedro Luis Ramos Calla
  • Repository: [Project Repository]
  • Documentation: /api/docs (Swagger)

Acknowledgments

Built with:
  • Express.js community
  • TRON blockchain
  • MongoDB
  • Socket.io
  • Open source contributors

Version History

Version   Release Date   Status
1.0.0     March 2026     Current

Upgrade Instructions

This is the first release. Follow the Production Deployment Checklist for initial setup.

Deprecation Notices

None (initial release).

Security Advisories

No known security vulnerabilities at this time.

Security Best Practices:
  • Always use HTTPS in production
  • Rotate JWT secrets regularly
  • Use hardware wallets for merchant accounts
  • Enable 2FA for admin accounts
  • Monitor transaction listener logs
  • Keep dependencies updated
  • Review security headers configuration
  • Implement proper backup procedures

This changelog follows Semantic Versioning and Keep a Changelog conventions.
